From bb21f169fd7b93e384b6980fe5c932578c97cc78 Mon Sep 17 00:00:00 2001 From: Salvatore Orlando Date: Mon, 26 Jul 2021 23:08:11 -0700 Subject: [PATCH] NSX PI: Do not use deprecated API when registering identity With this change deprecated endpoints and the deprecated permission_group parameter won't be used anymore. The identity will now be created with the enterprise_admin role. Change-Id: Ie202c78487a5273ddb58923e7479157c1da091a1 --- vmware_nsxlib/tests/unit/v3/test_cert.py | 20 +++++--------------- vmware_nsxlib/v3/client_cert.py | 5 ++--- vmware_nsxlib/v3/trust_management.py | 3 +-- 3 files changed, 8 insertions(+), 20 deletions(-) diff --git a/vmware_nsxlib/tests/unit/v3/test_cert.py b/vmware_nsxlib/tests/unit/v3/test_cert.py index 5f0d5840..0fb2aa96 100644 --- a/vmware_nsxlib/tests/unit/v3/test_cert.py +++ b/vmware_nsxlib/tests/unit/v3/test_cert.py @@ -72,13 +72,9 @@ class NsxV3ClientCertificateTestCase(nsxlib_testcase.NsxClientTestCase): 'error_message': 'bad luck'})) def _get_mocked_trust(self, action, cert_pem): - fake_responses = [] if 'create' in action: - # import cert and return its id - results = [{'id': self.cert_id}] - fake_responses.append(self._get_mocked_response(201, results)) - # and then bind this id to principal identity + # Create principal identity with cert fake_responses.append(self._get_mocked_response(201, [])) if 'delete' in action: 
@@ -119,18 +115,12 @@ class NsxV3ClientCertificateTestCase(nsxlib_testcase.NsxClientTestCase): """Verify API calls to create cert and identity on backend""" # verify API call to import cert on backend base_uri = 'https://1.2.3.4/api/v1/trust-management' - uri = base_uri + '/certificates?action=import' - expected_body = {'pem_encoded': cert_pem} - test_client.assert_json_call('post', mocked_trust.client, uri, - single_call=False, - data=jsonutils.dumps(expected_body)) - - # verify API call to bind cert to identity on backend - uri = base_uri + '/principal-identities' + # verify API call to create identity with cert on backend + uri = base_uri + '/principal-identities/with-certificate' expected_body = {'name': self.identity, + 'certificate_pem': cert_pem, 'node_id': self.node_id, - 'permission_group': 'read_write_api_users', - 'certificate_id': self.cert_id, + 'role': 'enterprise_admin', 'is_protected': True} test_client.assert_json_call('post', mocked_trust.client, uri, single_call=False, diff --git a/vmware_nsxlib/v3/client_cert.py b/vmware_nsxlib/v3/client_cert.py index 67455fa8..6ff7751a 100644 --- a/vmware_nsxlib/v3/client_cert.py +++ b/vmware_nsxlib/v3/client_cert.py @@ -334,9 +334,8 @@ class ClientCertificateManager(object): def _register_cert(self, cert, node_id): cert_pem = crypto.dump_certificate(crypto.FILETYPE_PEM, cert) - self._nsx_trust_management.create_cert_and_identity(self._identity, - cert_pem, - node_id) + self._nsx_trust_management.create_identity_with_cert( + self._identity, cert_pem, node_id, 'enterprise_admin') class ClientCertProvider(object): diff --git a/vmware_nsxlib/v3/trust_management.py b/vmware_nsxlib/v3/trust_management.py index 168694de..b6afed68 100644 --- a/vmware_nsxlib/v3/trust_management.py +++ b/vmware_nsxlib/v3/trust_management.py 
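Review bot: The context comment `# verify API call to import cert on backend` and the docstring "Verify API calls to create cert and identity on backend" are now stale, because the only call still asserted in this hunk is the POST to `/principal-identities/with-certificate`. I would drop the old comment and reword the docstring to something like `"""Verify API call to create identity with cert on backend"""`. The enclosing test helper starts and ends outside the hunk, so any further assertions it makes are not visible here.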
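Review bot: The role is passed as the bare literal `'enterprise_admin'` in `_register_cert`, so every principal identity this manager registers gets that role and a caller cannot request a narrower one. The removed test lines show the identity was previously created with `permission_group` set to `'read_write_api_users'`. Whether the new role carries the same privileges is not visible in this diff, so a comment saying why this role is required would help the next reader. I would also lift the literal into a named module constant and accept it as an optional argument, for example `def _register_cert(self, cert, node_id, role=DEFAULT_IDENTITY_ROLE):` (the constant name is a suggestion), so deployments that need less than full admin can say so.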
@@ -84,7 +84,7 @@ class NsxLibTrustManagement(utils.NsxLibApiBase): arg_val=permission_group, arg_name='permission_group') body = {'name': name, 'certificate_id': cert_id, - 'node_id': node_id, 'permission_group': permission_group, + 'node_id': node_id, 'role': permission_group, 'is_protected': True} self.client.create(ID_SECTION, body) @@ -101,7 +101,6 @@ class NsxLibTrustManagement(utils.NsxLibApiBase): if not isinstance(cert_pem, str): cert_pem = cert_pem.decode('ascii') - cert_ids = [cert['id'] for cert in certs if cert['pem_encoded'] == cert_pem] if not cert_ids:
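Review bot: The body now sends `'role': permission_group`, but the validation just above still treats the value as a permission group (`arg_name='permission_group'`), so the accepted values and the error text may no longer match what the backend expects for `role`. The allowed-values list is outside this hunk. If it still holds legacy group names such as `read_write_api_users`, they would be forwarded as a role, and a role name like `enterprise_admin` might be rejected before the request is sent. Please confirm that list, and add a comment such as `# 'permission_group' is kept for backward compatibility; the value is sent as 'role'`. None of the test changes shown in this commit exercise this method, and it starts outside the hunk.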